2 * Author: Tatu Ylonen <ylo@cs.hut.fi>
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * Functions for reading the configuration files.
7 * As far as I am concerned, the code I have written for this software
8 * can be used freely for any purpose. Any derived versions of this
9 * software must be clearly marked as such, and if the derived work is
10 * incompatible with the protocol description in the RFC file, it must be
11 * called by a name other than "ssh" or "Secure Shell".
15 RCSID("$OpenBSD: readconf.c,v 1.72 2001/04/12 19:15:25 markus Exp $");
21 #include "pathnames.h"
29 /* Format of the configuration file:
31 # Configuration data is parsed as follows:
32 # 1. command line options
33 # 2. user-specific file
35 # Any configuration value is only changed the first time it is set.
36 # Thus, host-specific definitions should be at the beginning of the
37 # configuration file, and defaults at the end.
39 # Host-specific declarations. These may override anything above. A single
40 # host may match multiple declarations; these are processed in the order
41 # that they are given in.
47 HostName another.host.name.real.org
54 RemoteForward 9999 shadows.cs.hut.fi:9999
60 RhostsAuthentication no
61 PasswordAuthentication no
65 ProxyCommand ssh-proxy %h %p
72 PasswordAuthentication no
74 # Defaults for various options
78 RhostsAuthentication yes
79 PasswordAuthentication yes
81 RhostsRSAAuthentication yes
84 StrictHostKeyChecking yes
86 IdentityFile ~/.ssh/identity
96 oForwardAgent, oForwardX11, oGatewayPorts, oRhostsAuthentication,
97 oPasswordAuthentication, oRSAAuthentication, oFallBackToRsh, oUseRsh,
98 oChallengeResponseAuthentication, oXAuthLocation,
100 oKerberosAuthentication,
103 oKerberosTgtPassing, oAFSTokenPassing,
105 oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
106 oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
107 oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
108 oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
109 oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts,
110 oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
111 oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
112 oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
113 oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication
116 /* Textual representations of the tokens. */
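/*
 * Keyword table consulted by parse_token(), which matches with strcasecmp();
 * every name must therefore be the lower-cased spelling of the option as a
 * user writes it in ssh_config, or that option is unreachable from the file.
 * A NULL name terminates the table.
 */
{ "forwardagent", oForwardAgent },
{ "forwardx11", oForwardX11 },
{ "xauthlocation", oXAuthLocation },
{ "gatewayports", oGatewayPorts },
{ "useprivilegedport", oUsePrivilegedPort },
{ "rhostsauthentication", oRhostsAuthentication },
{ "passwordauthentication", oPasswordAuthentication },
{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
{ "kbdinteractivedevices", oKbdInteractiveDevices },
{ "rsaauthentication", oRSAAuthentication },
{ "pubkeyauthentication", oPubkeyAuthentication },
{ "dsaauthentication", oPubkeyAuthentication }, /* alias */
{ "rhostsrsaauthentication", oRhostsRSAAuthentication },
/*
 * Was misspelled "hostbaedauthentication": no config line could ever match
 * it, so HostbasedAuthentication silently stayed at its default (off).
 */
{ "hostbasedauthentication", oHostbasedAuthentication },
{ "challengeresponseauthentication", oChallengeResponseAuthentication },
{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
{ "tisauthentication", oChallengeResponseAuthentication }, /* alias */
{ "kerberosauthentication", oKerberosAuthentication },
{ "kerberostgtpassing", oKerberosTgtPassing },
{ "afstokenpassing", oAFSTokenPassing },
{ "fallbacktorsh", oFallBackToRsh },
{ "usersh", oUseRsh },
{ "identityfile", oIdentityFile },
{ "identityfile2", oIdentityFile }, /* alias */
{ "hostname", oHostName },
{ "hostkeyalias", oHostKeyAlias },
{ "proxycommand", oProxyCommand },
{ "cipher", oCipher },
{ "ciphers", oCiphers },
{ "protocol", oProtocol },
{ "remoteforward", oRemoteForward },
{ "localforward", oLocalForward },
{ "escapechar", oEscapeChar },
{ "globalknownhostsfile", oGlobalKnownHostsFile },
{ "userknownhostsfile", oUserKnownHostsFile },
{ "globalknownhostsfile2", oGlobalKnownHostsFile2 },
{ "userknownhostsfile2", oUserKnownHostsFile2 },
{ "connectionattempts", oConnectionAttempts },
{ "batchmode", oBatchMode },
{ "checkhostip", oCheckHostIP },
{ "stricthostkeychecking", oStrictHostKeyChecking },
{ "compression", oCompression },
{ "compressionlevel", oCompressionLevel },
{ "keepalive", oKeepAlives },
{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
{ "loglevel", oLogLevel },
{ "dynamicforward", oDynamicForward },
{ "preferredauthentications", oPreferredAuthentications },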
182 * Adds a local TCP/IP port forward to options. Never returns if there is an
add_local_forward(Options *options, u_short port, const char *host,
	extern uid_t original_real_uid;

	/*
	 * Refuse to listen on a privileged local port unless the *real* uid of
	 * the invoking user is root. original_real_uid is defined elsewhere;
	 * presumably it is captured before any set-uid switch, so the check
	 * cannot be satisfied merely by the ssh binary running as root.
	 * Callers hand us a u_short, so any narrowing of an out-of-range
	 * number has already happened and the comparison sees the final value.
	 */
	if (port < IPPORT_RESERVED && original_real_uid != 0)
		fatal("Privileged ports can only be forwarded by root.");

	/* Hard cap keeps the index below inside local_forwards[]. */
	if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
		fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
	fwd = &options->local_forwards[options->num_local_forwards++];
	/* Private copy: callers pass a short-lived stack buffer as host. */
	fwd->host = xstrdup(host);
	fwd->host_port = host_port;
205 * Adds a remote TCP/IP port forward to options. Never returns if there is
add_remote_forward(Options *options, u_short port, const char *host,
	/*
	 * Unlike add_local_forward() there is no privileged-port check here:
	 * the listening port is opened on the remote side, so presumably the
	 * server applies its own policy to the bind (not visible in this file).
	 */
	if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
		fatal("Too many remote forwards (max %d).",
		    SSH_MAX_FORWARDS_PER_DIRECTION);
	fwd = &options->remote_forwards[options->num_remote_forwards++];
	/* Private copy: callers pass a short-lived stack buffer as host. */
	fwd->host = xstrdup(host);
	fwd->host_port = host_port;
224 * Returns the number of the token pointed to by cp or oBadOption.
parse_token(const char *cp, const char *filename, int linenum)
	/* Case-insensitive linear scan of the NULL-name-terminated table. */
	for (i = 0; keywords[i].name; i++)
		if (strcasecmp(cp, keywords[i].name) == 0)
			return keywords[i].opcode;

	/*
	 * Unknown keyword: report it with its location and let the caller
	 * decide; the caller counts bad options and aborts after the file.
	 */
	fprintf(stderr, "%s: line %d: Bad configuration option: %s\n",
	    filename, linenum, cp);
242 * Processes a single option line as used in the configuration files. This
243 * only sets those values that have not already been set.
process_config_line(Options *options, const char *host,
    char *line, const char *filename, int linenum,
	/*
	 * buf is sized to match the "%255[^:]" conversions used for host:port
	 * below; keep the two in step or sscanf() overruns it.
	 */
	char buf[256], *s, *string, **charptr, *endofnumber, *keyword, *arg;
	int opcode, *intptr, value;
	u_short fwd_port, fwd_host_port;	/* 16-bit: see the atoi() notes below */

	/* Get the keyword. (Each line is supposed to begin with a keyword). */
	keyword = strdelim(&s);
	/* Ignore leading whitespace. */
	if (*keyword == '\0')
		keyword = strdelim(&s);
	/* Blank lines and '#' comments are skipped outright. */
	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
	opcode = parse_token(keyword, filename, linenum);
	/* don't panic, but count bad options */

		/*
		 * Generic yes/no option: intptr selects the field, the shared
		 * parser converts the argument ("true"/"false" are synonyms).
		 */
		intptr = &options->forward_agent;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
		value = 0;	/* To avoid compiler warning... */
		if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
		else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
			fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
		/*
		 * First setting wins: store only while the current Host block is
		 * active and the field still holds initialize_options()' -1.
		 */
		if (*activep && *intptr == -1)

		intptr = &options->forward_x11;

		intptr = &options->gateway_ports;

	case oUsePrivilegedPort:
		intptr = &options->use_privileged_port;

	case oRhostsAuthentication:
		intptr = &options->rhosts_authentication;

	case oPasswordAuthentication:
		intptr = &options->password_authentication;

	case oKbdInteractiveAuthentication:
		intptr = &options->kbd_interactive_authentication;

	case oKbdInteractiveDevices:
		charptr = &options->kbd_interactive_devices;

	case oPubkeyAuthentication:
		intptr = &options->pubkey_authentication;

	case oRSAAuthentication:
		intptr = &options->rsa_authentication;

	case oRhostsRSAAuthentication:
		intptr = &options->rhosts_rsa_authentication;

	case oHostbasedAuthentication:
		intptr = &options->hostbased_authentication;

	case oChallengeResponseAuthentication:
		/* The field keeps its historical "reponse" spelling (header). */
		intptr = &options->challenge_reponse_authentication;

	case oKerberosAuthentication:
		intptr = &options->kerberos_authentication;

	case oKerberosTgtPassing:
		intptr = &options->kerberos_tgt_passing;

	case oAFSTokenPassing:
		intptr = &options->afs_token_passing;

		intptr = &options->fallback_to_rsh;

		intptr = &options->use_rsh;

		intptr = &options->batch_mode;

		intptr = &options->check_host_ip;

	case oStrictHostKeyChecking:
		/* Three-valued: yes/no plus "ask". */
		intptr = &options->strict_host_key_checking;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing yes/no/ask argument.",
		value = 0;	/* To avoid compiler warning... */
		if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
		else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
		else if (strcmp(arg, "ask") == 0)
			fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
		if (*activep && *intptr == -1)

		intptr = &options->compression;

		intptr = &options->keepalives;

	case oNumberOfPasswordPrompts:
		intptr = &options->number_of_password_prompts;

	case oCompressionLevel:
		intptr = &options->compression_level;

		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		/*
		 * IdentityFile accumulates (every occurrence appends a file)
		 * rather than first-wins; the array is bounds-checked before
		 * the store.
		 */
		intptr = &options->num_identity_files;
		if (*intptr >= SSH_MAX_IDENTITY_FILES)
			fatal("%.200s line %d: Too many identity files specified (max %d).",
			    filename, linenum, SSH_MAX_IDENTITY_FILES);
		charptr = &options->identity_files[*intptr];
		*charptr = xstrdup(arg);
		*intptr = *intptr + 1;

		charptr=&options->xauth_location;

		charptr = &options->user;
		/* Generic string option: copied once, first setting wins. */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		if (*activep && *charptr == NULL)
			*charptr = xstrdup(arg);

	case oGlobalKnownHostsFile:
		charptr = &options->system_hostfile;

	case oUserKnownHostsFile:
		charptr = &options->user_hostfile;

	case oGlobalKnownHostsFile2:
		charptr = &options->system_hostfile2;

	case oUserKnownHostsFile2:
		charptr = &options->user_hostfile2;

		charptr = &options->hostname;

		charptr = &options->host_key_alias;

	case oPreferredAuthentications:
		charptr = &options->preferred_authentications;

		/*
		 * ProxyCommand: the rest of the line is re-joined into one string;
		 * each xrealloc() grows it by the word plus room for a separator
		 * and the NUL. NOTE(review): that string is presumably handed to
		 * a shell later, so whoever can write this file can run commands
		 * as the user; confirm the file's ownership/permissions are
		 * checked before it is trusted.
		 */
		charptr = &options->proxy_command;
		string = xstrdup("");
		while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
			string = xrealloc(string, strlen(string) + strlen(arg) + 2);
		if (*activep && *charptr == NULL)

		/*
		 * Port: strtol() with base 0, so "022" is octal and "0x16" hex.
		 * NOTE(review): only the first character must be a digit and only
		 * arg == endofnumber is rejected, so trailing junk ("22x") and
		 * values outside 1..65535 are accepted; testing
		 * *endofnumber == '\0' and the range would tighten this.
		 */
		intptr = &options->port;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		if (arg[0] < '0' || arg[0] > '9')
			fatal("%.200s line %d: Bad number.", filename, linenum);
		/* Octal, decimal, or hex format? */
		value = strtol(arg, &endofnumber, 0);
		if (arg == endofnumber)
			fatal("%.200s line %d: Bad number.", filename, linenum);
		if (*activep && *intptr == -1)

	case oConnectionAttempts:
		intptr = &options->connection_attempts;

		/*
		 * Cipher (protocol 1): name -> number. The "<NONE>" fallback in
		 * the message is unreachable, arg was already checked non-NULL.
		 */
		intptr = &options->cipher;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		value = cipher_number(arg);
			fatal("%.200s line %d: Bad cipher '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && *intptr == -1)

		/* Ciphers (protocol 2): the list is validated before it is kept. */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		if (!ciphers_valid(arg))
			fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && options->ciphers == NULL)
			options->ciphers = xstrdup(arg);

		/* MACs (protocol 2): same shape as Ciphers. */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
			fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && options->macs == NULL)
			options->macs = xstrdup(arg);

		/*
		 * Protocol: bit set of SSH_PROTO_1/SSH_PROTO_2; its "unset"
		 * sentinel is SSH_PROTO_UNKNOWN rather than -1.
		 */
		intptr = &options->protocol;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		value = proto_spec(arg);
		if (value == SSH_PROTO_UNKNOWN)
			fatal("%.200s line %d: Bad protocol spec '%s'.",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && *intptr == SSH_PROTO_UNKNOWN)

		/* LogLevel: the enum is driven through an int * (same width assumed). */
		intptr = (int *) &options->log_level;
		value = log_level_number(arg);
		if (value == (LogLevel) - 1)
			fatal("%.200s line %d: unsupported log level '%s'",
			    filename, linenum, arg ? arg : "<NONE>");
		if (*activep && (LogLevel) * intptr == -1)
			*intptr = (LogLevel) value;

		/*
		 * RemoteForward <port> <host:hostport>.
		 * NOTE(review): atoi() stops at the first non-digit and its int
		 * result is silently narrowed into the u_short fwd_port, so "22x"
		 * and 65558 (== 22 mod 65536) are accepted; only the first
		 * character was validated. strtol() plus a 1..65535 range check
		 * would reject both.
		 */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		if (arg[0] < '0' || arg[0] > '9')
			fatal("%.200s line %d: Badly formatted port number.",
		fwd_port = atoi(arg);
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing second argument.",
		/* %255[^:] bounds the host into buf[256]; %hu fills the u_short. */
		if (sscanf(arg, "%255[^:]:%hu", buf, &fwd_host_port) != 2)
			fatal("%.200s line %d: Badly formatted host:port.",
		add_remote_forward(options, fwd_port, buf, fwd_host_port);

		/*
		 * LocalForward <port> <host:hostport>: same parsing and the same
		 * atoi() caveat as RemoteForward. fwd_port is already a u_short,
		 * so add_local_forward()'s privileged-port check sees the narrowed
		 * value; narrowing cannot slip a port below IPPORT_RESERVED past
		 * it, it only silently changes what the line means.
		 */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		if (arg[0] < '0' || arg[0] > '9')
			fatal("%.200s line %d: Badly formatted port number.",
		fwd_port = atoi(arg);
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing second argument.",
		if (sscanf(arg, "%255[^:]:%hu", buf, &fwd_host_port) != 2)
			fatal("%.200s line %d: Badly formatted host:port.",
		add_local_forward(options, fwd_port, buf, fwd_host_port);

	case oDynamicForward:
		/*
		 * Registered as an ordinary local forward whose target
		 * "socks4":0 presumably marks a SOCKS listener to the code that
		 * opens the forwards (not in this file). Same atoi() caveat.
		 */
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing port argument.",
		if (arg[0] < '0' || arg[0] > '9')
			fatal("%.200s line %d: Badly formatted port number.",
		fwd_port = atoi(arg);
		add_local_forward(options, fwd_port, "socks4", 0);

		/*
		 * Host: every remaining word is a pattern tried against the host
		 * being connected to; matches drive the active flag that gates
		 * all the "first setting wins" stores in this function.
		 */
		while ((arg = strdelim(&s)) != NULL && *arg != '\0')
			if (match_pattern(host, arg)) {
				debug("Applying options for %.100s", arg);
		/* Avoid garbage check below, as strdelim is done. */

		/*
		 * EscapeChar: "^X" -> control code, one char -> itself, "none".
		 * NOTE(review): arg[2] is read before arg[1] is known to be
		 * non-NUL, so for the one-character argument "^" the test reads
		 * one byte past the terminator (almost always still inside the
		 * line buffer, but an out-of-bounds read all the same). Test
		 * arg[1] != '\0' (or strlen(arg) == 2) before touching arg[2].
		 */
		intptr = &options->escape_char;
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.", filename, linenum);
		if (arg[0] == '^' && arg[2] == 0 &&
		    (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
			value = (u_char) arg[1] & 31;	/* "^C" -> 0x03 */
		else if (strlen(arg) == 1)
			value = (u_char) arg[0];
		else if (strcmp(arg, "none") == 0)
			fatal("%.200s line %d: Bad escape character.",
			value = 0;	/* Avoid compiler warning. */
		if (*activep && *intptr == -1)

		/* An opcode the switch does not handle is a programming error. */
		fatal("process_config_line: Unimplemented opcode %d", opcode);

	/*
	 * Check that there is no garbage at end of line. Any leftover word
	 * after an option's arguments is fatal; Host sidesteps this by
	 * consuming the whole line above.
	 */
	if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
		    filename, linenum, arg);
651 * Reads the config file and modifies the options accordingly. Options
652 * should already be initialized before this call. This never returns if
653 * there is an error. If the file does not exist, this returns immediately.
read_config_file(const char *filename, const char *host, Options *options)
	/*
	 * NOTE(review): the file is taken on trust; no ownership or mode check
	 * on filename is visible here. Since options such as ProxyCommand end
	 * up running commands, a group/world-writable config would hand the
	 * writer command execution as this user. Confirm that the caller (or
	 * a later version of this function) verifies the file's permissions.
	 */
	f = fopen(filename, "r");

	debug("Reading configuration data %.200s", filename);

	/*
	 * Mark that we are now processing the options. This flag is turned
	 * on/off by Host specifications.
	 */

	/*
	 * fgets() delivers an over-long line in pieces, each parsed as a line
	 * of its own; the tail then usually reaches parse_token() as a "Bad
	 * configuration option" and is counted rather than silently merged.
	 */
	while (fgets(line, sizeof(line), f)) {
		/* Update line number counter. */
		if (process_config_line(options, host, line, filename, linenum, &active) != 0)

	/* Unknown options were only counted while reading; the total is
	 * reported once the whole file has been seen. */
	fatal("%s: terminating, %d bad configuration options",
	    filename, bad_options);
690 * Initializes options to special values that indicate that they have not yet
691 * been set. Read_config_file will only set options with this value. Options
692 * are processed in the following order: command line, user config file,
693 * system config file. Last, fill_default_options is called.
initialize_options(Options * options)
	/*
	 * Poison every byte with 'X' (0x58) first; presumably so that a field
	 * nobody resets below shows up as obvious garbage instead of a
	 * plausible 0. Each field is then set to its "unset" sentinel: -1 for
	 * ints, NULL for strings, SSH_PROTO_UNKNOWN for protocol,
	 * (LogLevel)-1 for log_level, 0 for the list counts.
	 * process_config_line() only stores into a field that still holds its
	 * sentinel, which is what makes the first setting win.
	 */
	memset(options, 'X', sizeof(*options));
	options->forward_agent = -1;
	options->forward_x11 = -1;
	options->xauth_location = NULL;
	options->gateway_ports = -1;
	options->use_privileged_port = -1;
	/* Authentication switches: -1 until config or fill_default_options(). */
	options->rhosts_authentication = -1;
	options->rsa_authentication = -1;
	options->pubkey_authentication = -1;
	options->challenge_reponse_authentication = -1;
	options->kerberos_authentication = -1;
	options->kerberos_tgt_passing = -1;
	options->afs_token_passing = -1;
	options->password_authentication = -1;
	options->kbd_interactive_authentication = -1;
	options->kbd_interactive_devices = NULL;
	options->rhosts_rsa_authentication = -1;
	options->hostbased_authentication = -1;
	options->fallback_to_rsh = -1;
	options->use_rsh = -1;
	options->batch_mode = -1;
	options->check_host_ip = -1;
	options->strict_host_key_checking = -1;
	options->compression = -1;
	options->keepalives = -1;
	options->compression_level = -1;
	options->connection_attempts = -1;
	options->number_of_password_prompts = -1;
	/* Crypto selection: protocol uses its own sentinel, not -1. */
	options->cipher = -1;
	options->ciphers = NULL;
	options->macs = NULL;
	options->protocol = SSH_PROTO_UNKNOWN;
	/* Counted lists start empty; IdentityFile appends rather than first-wins. */
	options->num_identity_files = 0;
	options->hostname = NULL;
	options->host_key_alias = NULL;
	options->proxy_command = NULL;
	options->user = NULL;
	options->escape_char = -1;
	options->system_hostfile = NULL;
	options->user_hostfile = NULL;
	options->system_hostfile2 = NULL;
	options->user_hostfile2 = NULL;
	options->num_local_forwards = 0;
	options->num_remote_forwards = 0;
	options->log_level = (LogLevel) - 1;
	options->preferred_authentications = NULL;
753 * Called after processing other sources of option data, this fills those
754 * options for which no value has been specified with their default values.
fill_default_options(Options * options)
	/* Forwarding of agent and X11 is opt-in. */
	if (options->forward_agent == -1)
		options->forward_agent = 0;
	if (options->forward_x11 == -1)
		options->forward_x11 = 0;
	if (options->xauth_location == NULL)
		options->xauth_location = XAUTH_PATH;
#endif /* XAUTH_PATH */
	/* Forwarded ports bind locally only; no privileged source port. */
	if (options->gateway_ports == -1)
		options->gateway_ports = 0;
	if (options->use_privileged_port == -1)
		options->use_privileged_port = 0;
	/*
	 * Authentication defaults (1 = the client will offer the method).
	 * NOTE(review): the rhosts-based methods and Kerberos TGT / AFS token
	 * passing default to on here; whether they are used depends on the
	 * server, but a review should ask whether a client should volunteer
	 * them at all. Challenge-response and hostbased start off.
	 */
	if (options->rhosts_authentication == -1)
		options->rhosts_authentication = 1;
	if (options->rsa_authentication == -1)
		options->rsa_authentication = 1;
	if (options->pubkey_authentication == -1)
		options->pubkey_authentication = 1;
	if (options->challenge_reponse_authentication == -1)
		options->challenge_reponse_authentication = 0;
	if (options->kerberos_authentication == -1)
		options->kerberos_authentication = 1;
	if (options->kerberos_tgt_passing == -1)
		options->kerberos_tgt_passing = 1;
	if (options->afs_token_passing == -1)
		options->afs_token_passing = 1;
	if (options->password_authentication == -1)
		options->password_authentication = 1;
	if (options->kbd_interactive_authentication == -1)
		options->kbd_interactive_authentication = 1;
	if (options->rhosts_rsa_authentication == -1)
		options->rhosts_rsa_authentication = 1;
	if (options->hostbased_authentication == -1)
		options->hostbased_authentication = 0;
	/* Never fall back to, or prefer, cleartext rsh unless asked. */
	if (options->fallback_to_rsh == -1)
		options->fallback_to_rsh = 0;
	if (options->use_rsh == -1)
		options->use_rsh = 0;
	if (options->batch_mode == -1)
		options->batch_mode = 0;
	/*
	 * Host key policy: CheckHostIP on; StrictHostKeyChecking 2 is the
	 * "ask" behaviour (the third keyword the parser accepts) -- confirm
	 * against the value the parser stores for "ask".
	 */
	if (options->check_host_ip == -1)
		options->check_host_ip = 1;
	if (options->strict_host_key_checking == -1)
		options->strict_host_key_checking = 2;	/* 2 == "ask" */
	if (options->compression == -1)
		options->compression = 0;
	if (options->keepalives == -1)
		options->keepalives = 1;
	if (options->compression_level == -1)
		options->compression_level = 6;
	if (options->port == -1)
		options->port = 0;	/* Filled in ssh_connect. */
	if (options->connection_attempts == -1)
		options->connection_attempts = 4;
	if (options->number_of_password_prompts == -1)
		options->number_of_password_prompts = 3;
	/* Selected in ssh_login(). */
	if (options->cipher == -1)
		options->cipher = SSH_CIPHER_NOT_SET;
	/* options->ciphers, default set in myproposals.h */
	/* options->macs, default set in myproposals.h */
	/* Both protocol versions are tried unless the config narrows it. */
	if (options->protocol == SSH_PROTO_UNKNOWN)
		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
	/*
	 * No IdentityFile given: use the per-protocol defaults under "~/"
	 * (the "~" is presumably expanded later). len is "~/" + name + NUL,
	 * so snprintf() cannot truncate unless a path constant exceeds the
	 * %.100s cap, in which case it is cut, never overrun.
	 */
	if (options->num_identity_files == 0) {
		if (options->protocol & SSH_PROTO_1) {
			len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;
			options->identity_files[options->num_identity_files] =
			snprintf(options->identity_files[options->num_identity_files++],
			    len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY);
		if (options->protocol & SSH_PROTO_2) {
			len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
			options->identity_files[options->num_identity_files] =
			snprintf(options->identity_files[options->num_identity_files++],
			    len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);
			len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
			options->identity_files[options->num_identity_files] =
			snprintf(options->identity_files[options->num_identity_files++],
			    len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
	if (options->escape_char == -1)
		options->escape_char = '~';
	/* Known-hosts files for protocol 1 and 2 come from pathnames.h. */
	if (options->system_hostfile == NULL)
		options->system_hostfile = _PATH_SSH_SYSTEM_HOSTFILE;
	if (options->user_hostfile == NULL)
		options->user_hostfile = _PATH_SSH_USER_HOSTFILE;
	if (options->system_hostfile2 == NULL)
		options->system_hostfile2 = _PATH_SSH_SYSTEM_HOSTFILE2;
	if (options->user_hostfile2 == NULL)
		options->user_hostfile2 = _PATH_SSH_USER_HOSTFILE2;
	if (options->log_level == (LogLevel) - 1)
		options->log_level = SYSLOG_LEVEL_INFO;
	/* options->proxy_command should not be set by default */
	/* options->user will be set in the main program if appropriate */
	/* options->hostname will be set in the main program if appropriate */
	/* options->host_key_alias should not be set by default */
	/* options->preferred_authentications will be set in ssh */